Commit Graph

3453 Commits

Author SHA1 Message Date
Simon Butcher
8cf6d31f54 Merge branch fix-base64-arithmetic-overflows
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-02 09:15:05 +00:00
Simon Butcher
0289920d12 Merge branch mbedtls-1.3-fix-arithmetic-overflows
Fix potential integer overflows in the following functions:

 * mbedtls_md2_update()
 * mbedtls_cipher_update()
 * mbedtls_ctr_drbg_reseed()

This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-01 21:46:47 +00:00
Andres Amaya Garcia
f1d52d08ea Merge pull request #780 from sbutcher-arm/openssl-link-lib-fix
Adds dl link library to OpenSSL example builds
2017-02-01 13:55:15 +00:00
Simon Butcher
40d8cc7181 Adds dl link library to OpenSSL example builds
The example o_p_test uses OpenSSL. On some platforms that fails to build
unless the dl library is included as a static link library.
2017-02-01 12:38:44 +00:00
Andres AG
28ba747c8c Add tests for out flags from x509_crt_verify_top()
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are BADCERT_EXPIRED or BADCERT_FUTURE.
2017-01-20 17:12:43 +00:00
Andres AG
2f3fe70f7e Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags BADCERT_EXPIRED and BADCERT_FUTURE to always be set
whenever there is a failure in the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 17:12:36 +00:00
Andres AG
67c6df4a8a Add test for infinite loop in CRL parse 2017-01-19 17:16:47 +00:00
Andres AG
e567101f6b Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:57:16 +00:00
Andres AG
3e3698ca30 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-01-18 17:30:29 +00:00
Andres Amaya Garcia
593e8b2793 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-01-18 13:56:58 +00:00
Andres AG
f0a401f080 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2016-12-07 16:11:17 +00:00
Andres AG
fada2e9f3e Add tests for overreads in pem_read_buffer() 2016-11-21 11:34:55 +00:00
Andres AG
d3cbc15951 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-11-21 11:25:17 +00:00
Simon B
a697bf503a Fix for MSVC Compiler warnings
Fixes Microsoft Visual C compiler warnings in multiple files. All issues
with type mismatches.
2016-11-10 15:40:53 +00:00
Simon Butcher
c1d54bb7b2 Update library version to 1.3.18 2016-10-17 23:40:14 +01:00
Simon Butcher
2d0ffbbdc7 Fix integration of bugfix for #626
Adds check for validity of date in x509_get_time() back in, as it was
lost in the merge.
2016-10-17 22:41:54 +01:00
Simon Butcher
2261f198ee Merge branch 'mbedtls-1.3' 2016-10-17 16:09:06 +01:00
Simon Butcher
91fa80430d Merge branch 'mbedtls-1.3' 2016-10-17 16:05:55 +01:00
Simon Butcher
000d94d67a Merge branch 'mbedtls-1.3'
Conflicts:
	ChangeLog
2016-10-17 16:05:09 +01:00
Simon Butcher
fd8d7991a0 Tidied up style and phrasing of ChangeLog 2016-10-16 00:48:37 +01:00
Simon Butcher
123fb027dd Update all.sh test script
Various fixes to the all.sh script.
 * support for two different versions of OpenSSL and GNUTLS, to allow testing of
   legacy features, deprecated but not yet removed in the library.
 * additional test builds for server only and client only builds
 * removed error redirection on armcc to allow build errors to be output
 * added tools checking, to ensure the absence of a tool will cause a failure, rather
   than silently failing to execute a test
 * added test for out of tree cmake builds
2016-10-15 22:35:06 +01:00
Simon Butcher
149950d876 Added checks for POLARSSL_SSL_CLI_C
Added additional POLARSSL_SSL_CLI_C preprocessor conditions to suppress warnings on
server only builds.
2016-10-15 22:35:06 +01:00
Simon Butcher
60371454bd Merge branch for fix for #502 - Unchecked calls 2016-10-14 01:10:02 +01:00
Simon Butcher
8a1a91f3da Update features list 2016-10-13 22:11:15 +01:00
Andres AG
0da3e44fea Add check for validity of date in x509_get_time() 2016-10-13 17:00:01 +01:00
Simon Butcher
c176038d73 Update and clean up Changelog for #622 2016-10-13 15:34:27 +01:00
Andres AG
67ae0b9839 Fix sig->tag update in mbedtls_x509_get_sig() 2016-10-13 15:33:07 +01:00
Simon Butcher
6522fd382c Updated Changelog for fix #599 2016-10-13 14:35:29 +01:00
Janos Follath
30b273c78e Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:34:35 +01:00
Simon Butcher
aac152328d Add extra compilation conditions to X.509 samples
The sample applications programs/pkey/cert_req.c and
programs/pkey/cert_write.c use the library functions mbedtls_pk_write_csr_pem()
and mbedtls_pk_write_crt_pem() respectively and programs/pkey/gen_key.c uses
the library function mbedtls_pk_write_key_pem().

These are dependent on the configuration option POLARSSL_PEM_WRITE_C. If the
option isn't defined the build breaks.

This change adds the compilation condition POLARSSL_PEM_WRITE_C to these
sample applications.
2016-10-13 14:31:13 +01:00
Simon Butcher
d6e876cf34 Actually apply debug_level settings in cert_app 2016-10-13 14:30:24 +01:00
Simon Butcher
c4363393ad Fix guards in SSL for ECDH key exchanges 2016-10-13 14:29:39 +01:00
Simon Butcher
5f81a2d2df Fix for #441 - crypt and hash gcm (#546)
* Fix crypt_and_hash to support decrypting GCM encrypted files

* Fix documentation in crypt_and_hash for the generic case

* Remove unused lastn from crypt_and_hash

lastn is not used with the cipher layer as it already provides padding
and understanding of length of the original data.

Backport of fix by Paul Bakker.
2016-10-13 14:28:40 +01:00
Andres AG
5a62dd4a5a Fix skipped test dependency in x509parse
Replace MBEDTLS_ with POLARSSL_ in the test dependency for x509parse,
otherwise tests are always skipped because dependencies are never
satisfied.
2016-10-13 14:28:30 +01:00
Janos Follath
ae01c3cc62 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:26:57 +01:00
Simon Butcher
c9b564e64c Update Changelog for fix #559 2016-10-13 14:24:03 +01:00
Simon Butcher
394d65d1bb Update for ChangeLog for fixes for cert_app 2016-10-13 14:23:57 +01:00
Simon Butcher
c112d21076 Update to ChangeLog for bug #428 2016-10-13 14:23:46 +01:00
Simon Butcher
cb60bfb52d Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 14:23:15 +01:00
Janos Follath
24f4d7f95e X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:21:24 +01:00
Andres AG
a16d684df3 Add test for bounds in X509 DER write funcs 2016-10-13 14:20:22 +01:00
Andres AG
0c12bd69f5 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 14:20:14 +01:00
Janos Follath
441d6f9833 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:14:16 +01:00
Simon Butcher
696f92e9b4 Add simple test for repeated IVs when using AEAD
In a USENIX WOOT '16 paper the authors exploit implementation
mistakes that cause Initialisation Vectors (IV) to repeat. This
did not happen in mbed TLS, and this test makes sure that this
won't happen in the future either.

A new test option is introduced to ssl-opt.sh that checks the server
and client logs for a pattern and fails in case there are any
duplicates in the lines following the matching ones. (This is
necessary because of the structure of the logging)

Added a test case as well to utilise the new option. This test forces
the TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ciphersuite to make the
client and the server use an AEAD cipher.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:13:17 +01:00
Simon Butcher
1227d7cdf1 Added credit to Changelog for fix #558 2016-10-13 12:54:33 +01:00
Janos Follath
bfcd032f9d Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 12:54:33 +01:00
Simon Butcher
e337ee647f Clarified Changelog for fix #602 2016-10-13 12:54:32 +01:00
Andres AG
6ad5d9450a Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 12:54:32 +01:00
Simon Butcher
6b8d9cffc2 Updated Changelog for fix #599 2016-10-13 12:54:32 +01:00
Andres AG
57e6e8fbb7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 12:54:32 +01:00